Advanced NMAP (NSE Scripts)
Prerequisites
- PFSense/Router VM
- Domain Controller
- Kali VM
Goals
- Understand how to use NSE Scripts
- Try NSE scripts inside of the lab
Get Started
With the PFSense, Domain Controller and Kali virtual machines booted, we’re going to test out a few NSE scripts. NSE (Nmap Scripting Engine) scripts extend Nmap beyond port scanning by letting it speak to individual protocols and report what it learns. For example, the “smb-os-discovery” script allows Nmap to identify the target operating system and the domain it belongs to over SMB.
smb-os-discovery
With the command below we are able to use the smb-os-discovery script.
nmap --script smb-os-discovery <target ip>
In our lab the expected output of running this against the domain controller is below.
http-title
The http-title script is quite underrated. It simply retrieves the title of the index page of a web server. This can be extremely useful when you have to scan a large network with a number of web servers: if there are a lot of uninteresting web servers and one Citrix environment among them, the script quickly identifies it.
Command
nmap -p80 --script http-title <target ip>
The output of this against one of our IIS servers is below.
dns-brute
The dns-brute script is one of my personal favorites. It uses a wordlist and a target domain to brute force subdomains. A script like this has the potential to uncover administration pages, VPNs and a whole lot more, which can really change the direction of a pentest.
nmap --script dns-brute <target domain>
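Reading script output off the screen works for a single domain controller, but across a large network it is easier to save the scan with -oX and triage the results. The following is an added example, not part of the original lab: a small Python parser for the XML produced by the smb-os-discovery and http-title runs above, which also flags page titles worth a second look (the Citrix case). The XML sample, addresses, hostnames and keyword list are constructed for the example.

```python
"""Triage Nmap NSE results from -oX output (added example, not from the original lab)."""
import xml.etree.ElementTree as ET

# Constructed sample of `nmap --script smb-os-discovery,http-title -oX - <targets>`;
# addresses, hostnames and the domain name are invented for this example.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --script smb-os-discovery,http-title -oX - 10.0.0.0/28">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80"><state state="open"/>
      <script id="http-title" output="IIS Windows Server"/></port></ports>
    <hostscript><script id="smb-os-discovery" output="OS: Windows Server 2019; Domain: LAB">
      <elem key="os">Windows Server 2019 Standard 17763</elem>
      <elem key="domain">LAB</elem>
      <elem key="fqdn">dc01.lab.local</elem></script></hostscript></host>
  <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80"><state state="open"/>
      <script id="http-title" output="Citrix Gateway"/></port></ports></host>
  <host><status state="down"/><address addr="10.0.0.12" addrtype="ipv4"/></host>
</nmaprun>"""

# Title fragments that usually mark something an inventory should call out (constructed list).
INTERESTING_TITLES = ("citrix", "vpn", "admin", "login")

def parse_nse_results(xml_text):
    """Return {addr: {"os": ..., "domain": ..., "titles": {port: title}}} for hosts that are up."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        entry = {"os": None, "domain": None, "titles": {}}
        # smb-os-discovery is a host script: its structured fields live under <hostscript>.
        for script in host.iterfind("hostscript/script[@id='smb-os-discovery']"):
            for elem in script.iterfind("elem"):
                if elem.get("key") in ("os", "domain"):
                    entry[elem.get("key")] = elem.text
        # http-title is a port script: one <script> per web port.
        for port in host.iterfind("ports/port"):
            title = port.find("script[@id='http-title']")
            if title is not None:
                entry["titles"][int(port.get("portid"))] = title.get("output")
        results[addr] = entry
    return results

def interesting_hosts(results, keywords=INTERESTING_TITLES):
    """Addresses whose page title matches a keyword, so they can be reviewed first."""
    return sorted(addr for addr, entry in results.items()
                  if any(k in t.lower() for t in entry["titles"].values() for k in keywords))

if __name__ == "__main__":
    res = parse_nse_results(SAMPLE_XML)
    for addr, entry in res.items():
        print(addr, entry["os"], entry["domain"], entry["titles"])
    print("review first:", interesting_hosts(res))
```

The same parser works on real output by replacing SAMPLE_XML with the contents of a file written by -oX.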
Further Reading
If you have any NSE Script suggestions, leave them here!